Shubham P Shakya

Manager - IT Security & Compliance [APAC Region]
Thane

Summary

Driving strategic Infrastructure security initiatives, I specialize in vulnerability management, penetration testing, and automation-led risk mitigation. At Holcim Group and Jio Platforms Ltd., I've led enterprise-scale security programs, mastering risk-based prioritization and ensuring compliance with global and national standards (CERT-In, ISO, RBI). Known for bridging technical depth with strategic influence, I've built strong stakeholder relationships, streamlined patch governance, and delivered 100% remediation SLAs — consistently strengthening the security posture across critical infrastructure and cloud environments.

Overview

10 years of professional experience
11 Certifications
3 Languages

Work History

APAC Manager (RSO) – IT Security & Compliance

HOLCIM GROUP
10.2024 - Current

1) Vulnerability Management (APAC Servers)

  • Lead APAC VM governance for AWS server estates—risk-based prioritization, patch cadence, exception control, and closure assurance.

2) Penetration Testing (External + Internal | Infra)

  • Lead external and internal infrastructure penetration testing, including network devices like Wi-Fi and access points across APAC markets, including internet-facing exposure assessments.

3) IT/OT Plant Security (APAC OT Plants)

  • Deliver IT/OT plant assessments across APAC—Vulnerability Assessment, Penetration Testing, and misconfigurations and missing patch identification.
  • Run governance cadence with plant and operations stakeholders to ensure remediation execution without disrupting production.
  • Translate OT risks into practical hardening actions, aligned with industrial constraints and safety requirements.

4) Threat Defense and Threat Hunting (Decisions and Actions)

  • Approve and operationalize IOC, malicious URL, and IP blocking, and manage controlled whitelisting exceptions based on risk validation.
  • Review monthly threat-hunting reports, assign remedial actions, and track completion for measurable exposure reduction.
  • Perform rapid, emerging threat research, publishing concise advisories that enable faster, preventive controls.

5) Incident and SOC Support (High/Critical)

  • Investigate high and critical alerts (including SentinelOne and SOC escalations), and coordinate containment and remediation as a secondary role.
  • Drive closure workflows with IT teams, and ensure evidence-based completion for audit-ready incident handling.

6) Strategic Security Leadership and Regional Governance (APAC)

  • Act as the APAC Regional Security Officer for cross-market security delivery, maintaining a strong stakeholder cadence and delivery discipline.
  • Represent APAC in the Cloud Security Council and IT/OT convergence committees, aligning regional execution with global direction.
  • Lead vendor/tool evaluation and procurement support (technical/security reviews, RFP inputs, PO/SES for VAPT tools/licenses).

7) Operational Impact and Signature Outcomes

  • Uplifted baseline posture by resolving misconfigurations and CIS L1 gaps, and patched Critical and High vulnerabilities, guided by threat intel at every step and phase.

Deputy Manager – Infrastructure Security (Lead VA/PT)

JIO PLATFORMS LTD (Reliance Group)
06.2022 - 10.2024

1. Vulnerability Management (Enterprise Scale)

  • Led enterprise infrastructure VM for approximately 50,000 servers and 5,000 network devices, governing the full lifecycle (scan, publish, remediate, validate, sign-off) with risk-based prioritization and change alignment.
  • Architected and standardized the Tenable ecosystem (SecurityCenter, Nessus Director, authenticated scanners), publishing 200k–250k vulnerabilities, and driving consistent closure and false-positive reduction through policy and process maturity.

2. Infrastructure Hardening and Configuration Compliance (CIS / MBSS)

  • Built MBSS baseline standards mapped to CIS benchmarks, and expanded coverage across Windows, RHEL, Oracle DB, Cisco NX-OS, and other enterprise platforms.
  • Developed and validated NASL audit files for authenticated configuration assessments, enabling measurable compliance verification, and control uplift at scale.

3. Infra Penetration Testing (External and Internal)

  • Led an infra-PT team of nine members, delivering black, grey, and white box testing across internal infrastructure and public-facing estates, producing PoCs and remediation guidance with closure validation.
  • Executed advanced PT using tools and controlled automation (e.g., Nmap, Metasploit, Nuclei), including privilege escalation and exposure validation—driving risk reduction through retest-driven sign-off.

4. Threat Intelligence & Rapid Advisory Response

  • Built a continuous CTI workflow (NVD monitoring + validation), converting emerging CVEs into actionable advisories with impact, affected versions, remediation steps, and OEM references.
  • Automated cloud exposure testing by fetching live public IPs across AWS, Azure, and GCP, and running continuous checks to detect newly exposed services quickly.

5. Red Teaming & Detection Engineering Support

  • Designed attack simulations and unauthorized behavior test cases to validate and strengthen SOC detection coverage, and reduce monitoring blind spots.
  • Reviewed SIEM detection logic and supported improvements through adversary emulation, aligned to realistic tactics and techniques.

6. Cloud, Container, Platform Security

  • Assessed Docker images in DevSecOps pipelines (Trivy/in-house tooling), enforced pipeline gating for high-risk images, managed exceptions, and tested OpenShift/OpenStack platform posture.

7. Audit and Regulatory Readiness

  • Owned audit readiness for VM, PT, and Patch processes, supporting regulatory audits including RBI, DOT, ITGC, and ISO with walkthrough, artifacts, and evidence packs.
  • Strengthened governance maturity through standardized process documentation, and traceable closure validation.

8. Key Programs Delivered (Representative Engagements)

  • Delivered security assessments for NIC Datacenters (New Delhi, Bhubaneshwar, Pune, Hyderabad), and the MEA Datacenter Security Project, improving hardening and risk posture.
  • Executed assessments for major enterprise programs, including TATA POWER (Mumbai) and multiple Jio platforms (FYND, Haptik.AI, Jio Financial Services, GSMA-SMDP, JioMeet, and acquired entities), driving measurable risk reduction and compliance alignment.

Group Vulnerability Manager – Vulnerability Management

ALLCARGO LOGISTICS LTD (The Avvashya Group)
05.2021 - 05.2022

1. Vulnerability Management (Group Governance)

  • Headed group-wide vulnerability management for Allcargo (parent), GATI, and ECU Worldwide, covering global on-prem and remote infrastructure (servers, endpoints, network), with closure governance.

2. Tenable Deployment and Standardization

  • Deployed and scaled Tenable Nessus globally (SecurityCenter, scanners, agents), standardizing scan execution, reporting, and the vulnerability lifecycle process across locations.

3. ISMS and ISO 27001 Enablement

  • Partnered with the Group CISO to implement ISMS and successfully supported ISO 27001 certification with zero non-conformities, operationalizing SOPs, SOAs, and process documents.

4. Patch Governance and Zero-Day Response

  • Implemented patch governance and approved patch publishing, accelerating remediation for high-risk and zero-day vulnerabilities through CTI advisories and validation workflows.

5. Executive Reporting and Stakeholder Cadence

  • Delivered weekly security posture updates to the CTO/CISO, driving prioritization, ownership, and closure follow-ups with infra, application teams, OEMs, and service delivery stakeholders.

6. Network and Application Security Assurance

  • Strengthened security through architecture reviews (segmentation/DMZ), OWASP-aligned web assessments, WAF monitoring, and developer/business enablement for remediation.

Assistant Manager Information Security

RELIANCE JIO INFOCOM LTD
10.2018 - 02.2021
  • Conducted baseline and vulnerability assessments on approximately 40,000+ servers quarterly using Tenable's Nessus Scanner.
  • Managed Nessus Security Center by creating scan zones, integrating Nessus scanners into SecurityCenter, upgrading all onboarded security scanners, and modifying scan queries.
  • Worked with Trend Micro Deep Security, specifically HIPS in both tap-mode and inline mode.

IT Security Executive

Cheers Interactive Pvt Ltd
03.2016 - 07.2017
  • Monitored DLP and firewall activities to ensure data protection and network security.
  • Conducted email monitoring, wiretapping, and whitelisting of email IDs to maintain secure communication channels.
  • Ensured data rights management through Information Rights Management (IRM) using Seclore.

Education

Computer Engineering

University of Mumbai
07.2015

HSC CBSE Board

Kendriya Vidyalaya
07.2011

SSC CBSE Board

Central Railway School
07.2008

Skills

Team leadership & Effective Decision-making

Certification

1. Completed Post Graduate Program from CALTECH (California Institute of Technology) through Simplilearn Platform. [Certificate ID: 106410653].

Personal Details

  • Date of Birth: 25th March 1993.
  • Language Known: English, Hindi, Marathi.
  • Address: Oceania CHS, Casario, Palava, Nilje, Thane, Maharashtra, India 421204.
